Better Balance Efficiency, Security for GAMP 5 Category 1 Infrastructure Software
More life science companies than ever are coming to rely upon digital solutions. Today’s digitalization advancements are helping companies optimize and centralize their production activities, driving improvements in process quality and product safety. While the value of digital transformation is clear, implementing it while staying compliant with GxP standards is challenging. That’s because an investment in GAMP 5 category 1 software tools and IT infrastructure requires some level of reliance upon outside vendors that aren’t GxP-regulated.
Correct application of software tools and IT infrastructure can strengthen an organization, ensuring a robust, reliable, and secure system. However, bad practices have the potential to expose vulnerable information to a breach. It’s up to life science companies to strike a balance between security and efficiency to ensure an adequate state of control is maintained.
The second edition of the GAMP 5 Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems, published earlier this year, offers fresh insight into the use of software tools and the importance of IT infrastructure as support and service in compliance with GxP standards. In this article, we will address GAMP 5 recommendations for putting processes in place for implementing and deploying digital solutions in a GxP-regulated environment.
New guidance for GAMP 5 Category 1
ISPE’s updated GAMP 5 introduces new content focusing on IT infrastructure and software tools that fall under GAMP 5 category 1, infrastructure software. Most of these IT infrastructure and software tools are effectively off-the-shelf purchases. GAMP 5 category 1 software includes tools used for testing or data masking. These non-regulated systems and tools also include cloud services, infrastructure software, and software tools that support computer system life cycle activities that do not impact patient health or product quality.
ISPE data integrity experts say that because GAMP 5 category 1 software does not store or create data, these tools can be managed using good IT practices and routine assessments. In other words, category 1 solutions don’t need to be validated, only qualified. However, that doesn’t mean life sciences companies shouldn’t have a practice in place for ensuring software and infrastructure security.
GAMP 5’s advice in this area of non-validation is to use routine company assessment and assurance practices, along with good IT practices for non-GxP regulated systems and tools.
These GAMP compliance measures serve to verify the effectiveness and security of the tool or cloud service. The updated GAMP 5 provides similar guidance on service provider relationships and other non-GxP tools.
Routine assessments and good IT practices for GAMP 5 category 1 software
ISPE recommends a simple strategy for risk management for IT infrastructure and software tools procured by an organization. The recommended risk management strategy includes attention to each of the following steps:
- Tool/service selection. An initial evaluation of service providers is vital for reducing risk.
- Risk assessment.
- Installation and configuration.
- Lifecycle management and continual improvement will continue until decommissioning. To better monitor this service over time, it is important to define key performance indicators early.
Component-based infrastructure is generally perceived as having less risk than software applications. Regular assessments and assurance practices, along with good IT practices, should be sufficient to handle these areas.
The updated GAMP 5 also has something to say about the role of quality when it comes to IT infrastructure. To ensure the efficiency of infrastructure implementation and updates, this is one area where the quality unit should have a more “hands-off” role.
Instead, the quality unit and IT system owners should establish an IT Quality function that ensures IT processes support a state of control and that IT system owners know when to inform the quality unit in the event of a change. ISPE recommends that QA does not get involved with technical changes or microcode updates. Instead, QA should ensure quality processes are followed according to the IT quality framework defined by quality and IT system owners.
Striking a delicate balance
The 2nd edition of GAMP 5 focuses on the subtleties of using IT as a service, whether that’s IaaS, PaaS, SaaS, or something else entirely. It’s simple but critical guidance for clarifying how to handle a delicate area.
Since most service providers are not GxP regulated—with the cloud being a clear example—it is important to ensure an adequate state of control is maintained. However, it’s also important to recognize that regular assessments and good IT practices are sufficient to ensure control for these tools that do not directly support GxP product life cycle activities and infrastructure software. The second edition of GAMP 5 clarifies that these activities should not be viewed with the same rigor as validation activities. Rather, these activities should focus on continually examining available IT infrastructure and tools to answer the question: “What can we do better?”
GxP-CC offers advice on a range of topics, including computer system validation, data integrity, digital compliance, cybersecurity, supplier management, QMS, and more. For further support, contact us today.
For additional insight into GAMP 5, 2nd edition, changes, visit the GxP-CC blog.